Tight Preimage Resistance of the Sponge Construction

Lefèvre, Charlotte; Mennink, Bart

doi:10.1007/978-3-031-15985-5_7

Cited by 9 publications

(2 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This indifferentiability result implies that the hash function based on an ideal primitive behaves like a random oracle. It thus provides security guarantees regarding any one-stage generic attack [RSS11], at least up to 2 c/2 queries (the scheme may achieve higher security against specific attacks, see, e.g., [LM22]).…”

Section: Introductionmentioning

confidence: 99%

Permutation-Based Hashing Beyond the Birthday Bound

Lefevre,

Mennink

2024

ToSC

View full text Add to dashboard Cite

It is known that the sponge construction is tightly indifferentiable from a random oracle up to around 2c/2 queries, where c is the capacity. In particular, it cannot provide generic security better than half of the underlying permutation size. In this paper, we aim to achieve hash function security beating this barrier. We present a hashing mode based on two b-bit permutations named the double sponge. The double sponge can be seen as the sponge embedded within the double block length hashing paradigm, making two permutation calls in parallel interleaved with an efficient mixing function. Similarly to the sponge, the permutation size is split as b = r+c, and the underlying compression function absorbs r bits at a time. We prove that the double sponge is indifferentiable from a random oracle up to around 22c/3 queries. This means that the double sponge achieves security beyond the birthday bound in the capacity. In addition, if c > 3b/4, the double sponge beats the birthday bound in the primitive size, to our knowledge being the first hashing mode based on a permutation that accomplices this feature.

show abstract

Section: Introductionmentioning

confidence: 99%

Permutation-Based Hashing Beyond the Birthday Bound

Lefevre,

Mennink

2024

ToSC

View full text Add to dashboard Cite

show abstract

“…It also implies that the "conventional" hash function attacks like finding collisions, preimages, and second preimages for the sponge construction are not easier than for the random oracle, up to 2 c/2 evaluations [AMP10, Appendix A]. (However, refer to Lefevre and Mennink [LM22] for an improved security bound on the preimage resistance of the sponge construction.) Another implication of the sponge function indifferentiability result is that the construction can be easily used for keyed applications, such as keystream generation and MAC computation [BDPV11b], reseedable pseudorandom sequence generation [BDPV10,GT16], and authenticated encryption [BDPV11a,BDPV12].…”

Section: Introductionmentioning

confidence: 99%

Understanding the Duplex and Its Security

Mennink

2023

ToSC

View full text Add to dashboard Cite

At SAC 2011, Bertoni et al. introduced the keyed duplex construction as a tool to build permutation based authenticated encryption schemes. The construction was generalized to full-state absorption by Mennink et al. (ASIACRYPT 2015). Daemen et al. (ASIACRYPT 2017) generalized it further to cover much more use cases, and proved security of this general construction, and Dobraunig and Mennink (ASIACRYPT 2019) derived a leakage resilience security bound for this construction. Due to its generality, the full-state keyed duplex construction that we know today has plethora applications, but the flip side of the coin is that the general construction is hard to grasp and the corresponding security bounds are very complex. Consequently, the state-of-the-art results on the full-state keyed duplex construction are not used to the fullest. In this work, we revisit the history of the duplex construction, give a comprehensive discussion of its possibilities and limitations, and demonstrate how the two security bounds (of Daemen et al. and Dobraunig and Mennink) can be interpreted in particular applications of the duplex.

show abstract